Last updated: June 2026
Cyber criminals are not waiting for businesses to catch up. They are changing how they approach staff, suppliers, customers and cloud accounts, often using ordinary business tools to make the first contact look harmless. For small and medium businesses, emerging cyber security threats are now an operations, finance, reputation and leadership issue.
The old advice still matters. Strong passwords, software updates, backups and multi-factor authentication remain important. But many attacks now work around controls businesses already have in place. Attackers move conversations from email to phone calls, use QR codes to push users onto mobile devices, steal session tokens after MFA has been completed and use generative AI to make impersonation more convincing.
This guide rebuilds our original article for the current threat landscape and explains four threats Australian business leaders should take seriously in 2026: telephone-oriented attack delivery, MFA bypass, QR code phishing and AI-enabled impersonation.
Why emerging cyber security threats matter to Australian businesses
Australian organisations are attractive targets because they rely on cloud applications, email, online payments and connected supply chains. The ASD’s ACSC Annual Cyber Threat Report 2024–25 reported more than 84,700 cybercrime reports in the financial year, an average of one report every six minutes. For businesses, the average self-reported cost per cybercrime report increased to $80,850.
Those figures matter because most incidents do not begin with a dramatic hack. They often start with something routine: an invoice, a support message, a Teams notification, a QR code, a password reset or a trusted-looking request. The four emerging cyber security threats covered below exploit normal business behaviour, busy people and unclear processes.
Security does not need to make work harder. The goal is to create clear guardrails, practical verification steps and strong identity controls so your people can work confidently, pause at the right moment and report concerns early.
1. Telephone-oriented attack delivery moves phishing onto the phone
Telephone-oriented attack delivery, often shortened to TOAD, is a style of phishing where the attacker tries to move the victim from an email, message or notification into a phone conversation. The message may look like a software renewal, payment problem, invoice dispute, bank alert, subscription charge or support request. Instead of asking the user to click a suspicious link, it tells them to call a number.
This works because many staff have been trained not to click suspicious links, but may be less cautious about calling a number in a trusted-looking message. Once on the phone, the attacker can create urgency and guide the user to install remote access software, approve a login, share a code, confirm payment details or sign in to a fake support portal.
TOAD attacks are especially risky for finance teams, help desks, executives and anyone with access to sensitive systems or payment workflows. They can also bypass traditional email checks because the message may contain no malicious attachment or obvious dangerous link.
To reduce the risk, make verification part of normal business practice. Staff should not call a number supplied in an unexpected message. They should use a known website, saved supplier record or internal contact list to confirm the request. Practical Security Awareness Training should include callback phishing scenarios, not just generic phishing examples.
2. MFA bypass and token theft are targeting identity
Multi-factor authentication is still one of the most important security controls a business can implement. The problem is that attackers know this, so they increasingly look for ways to trick users into completing MFA for them or stealing access after authentication has already succeeded.
Common MFA bypass methods include push fatigue attacks, where a user receives repeated login prompts until they approve one; adversary-in-the-middle phishing, where a fake login page relays the user’s credentials and MFA response to the real service; SIM swap attacks against SMS-based MFA; and session token theft, where the attacker steals a valid session so they can access an account without repeatedly triggering MFA.
Microsoft’s 2025 Digital Defense Report notes that threat actors are developing techniques such as AI-automated phishing and multi-stage attack chains, while also targeting known security gaps in web assets and remote services. This is why businesses should avoid treating MFA as a silver bullet. MFA is essential, but identity security needs layers.
Start by moving away from SMS-based MFA wherever possible. Use phishing-resistant options such as passkeys, FIDO2 security keys or certificate-based authentication for privileged users and high-risk roles. Apply conditional access so logins are assessed based on user risk, device health, location and application sensitivity. Monitor for suspicious sign-ins, impossible travel, new inbox rules, unfamiliar devices and abnormal download behaviour.
If your business relies heavily on Microsoft 365, cloud applications or remote work, strong Identity & Access Management is one of the highest-value security improvements you can make.
3. QR code phishing is built for the mobile workplace
QR code phishing, often called quishing, uses QR codes to send people to malicious websites, fake login pages or malware downloads. The Australian Cyber Security Centre describes quishing as a form of phishing that uses QR codes instead of text-based links in emails, digital platforms or physical items.
QR codes are convenient, which is why attackers like them. They can appear on invoices, posters, parking meters, delivery notices, event material, fake Microsoft 365 alerts or printed stickers placed over legitimate codes. They are also harder to inspect than normal links. With a QR code, people often scan first and think later.
This is a particular issue for hybrid teams because QR codes often move the interaction from a managed business device to a personal phone, bypassing some company email filtering, browser controls and endpoint protection. Once the user lands on a fake login page, the attacker may try to capture credentials, MFA codes or payment details.
Businesses should set clear rules for QR code use. Staff should be cautious with QR codes in emails, PDFs and public places, especially where payment or login details are involved. Finance teams should never approve payments or supplier changes based on a QR code alone. Marketing teams should use trusted QR code platforms, monitor destination URLs and avoid leaving old campaign codes active without review.
Technical controls can also help. Secure mobile browsing, DNS filtering, email security that can analyse QR codes, endpoint protection and phishing-resistant MFA all reduce the chance that a scan becomes an incident. But the most important control is still a staff culture where people are encouraged to stop and ask when something feels unusual.
4. Generative AI is making impersonation harder to spot
Generative AI has legitimate business uses, but it also gives attackers faster and cheaper ways to create convincing scams. A poorly written phishing email used to be easier to spot. Today, attackers can generate polished messages in fluent English, tailor them to a specific role and adjust tone to match a supplier, executive or internal department.
The risk is not limited to text. AI-generated voice and video can make social engineering more believable. A widely reported 2024 case involved a Hong Kong finance worker who was tricked into transferring US$25 million after fraudsters allegedly used deepfake video to impersonate senior staff. Deepfake incidents only need to succeed once in a high-value workflow.
For business leaders, the lesson is simple: seeing or hearing someone on a call is no longer always enough. Payment changes, urgent transfers, password resets, confidential data requests and supplier banking updates should all have independent verification steps. A second channel, such as a known phone number or approval workflow, should be required before action is taken.
AI also changes the scale of attacks. According to Microsoft, AI can help attackers rapidly create impersonation domains and phishing infrastructure, while Verizon’s 2026 DBIR highlights that generative AI is now being used to support multiple attack techniques. Businesses should expect scams to become more personalised, not less.
How to reduce emerging cyber security threats without slowing your team
The best defence is not one product. It is a layered approach that combines people, process and technology. Your team needs clear rules for suspicious requests, your systems need strong identity controls, and your leaders need visibility over the risks that matter most.
Start with the workflows attackers care about most. These include payment approvals, supplier bank detail changes, password resets, remote access requests, executive instructions, customer data exports and privileged administrator access. If those workflows rely on trust alone, they need stronger verification.
- Create verification rules for high-risk requests. Staff should know exactly how to confirm payment changes, urgent transfers and sensitive data requests.
- Use phishing-resistant MFA for critical accounts. Prioritise administrators, executives, finance staff and users with access to sensitive data.
- Monitor identity and email activity. Watch for suspicious sign-ins, new forwarding rules, unusual downloads and impossible travel alerts.
- Secure mobile and cloud access. QR code and mobile phishing risk increases when personal devices sit outside business controls.
- Train with realistic examples. Include TOAD, QR code phishing, MFA prompts, fake Teams messages and AI impersonation scenarios.
- Test backups and incident response. Recovery plans should be rehearsed before ransomware or account compromise occurs.
Common mistakes that leave businesses exposed
One common mistake is assuming that cyber security is solved because MFA is switched on. MFA needs to be configured properly, monitored and supported by conditional access. SMS-based MFA, unmanaged devices and weak account recovery processes can still create gaps.
Another mistake is training staff only on old phishing examples. If awareness training focuses only on suspicious links and spelling mistakes, it will miss phone-based scams, QR code phishing, fake collaboration alerts, AI-written messages and deepfake-style impersonation.
A third mistake is leaving finance and supplier workflows too informal. Attackers love vague approval processes. If one email or phone call can change bank details, approve an urgent payment or trigger a password reset, the business is exposed.
Finally, many businesses do not know what they would do in the first hour of an incident. A simple incident response plan should define who disables accounts, contacts banks, preserves evidence, communicates with customers and calls for help.
How Stanfield IT can help
Stanfield IT helps Australian businesses strengthen cyber security in a practical, business-friendly way. We focus on reducing real risk, improving resilience and making technology easier to manage. That means helping you identify the gaps that matter, prioritise the right improvements and support your people with clear guidance.
Our Cyber Security Services can help with security assessments, Microsoft 365 hardening, identity and access controls, endpoint protection, monitoring, incident response planning, backups, staff training and ongoing security improvement. We work with businesses that need stronger protection but do not want confusing advice, unnecessary complexity or security changes that frustrate staff.
If your business is unsure how exposed it is to these emerging cyber security threats, a practical security review is a good place to start. You will get a clearer picture of your current risk, which controls should be improved first and how to reduce risk without creating unnecessary friction for your team.
Frequently asked questions
What are the biggest emerging cyber security threats for businesses?
For many businesses, the key threats are callback phishing, MFA bypass, QR code phishing and AI-enabled impersonation. These threats are dangerous because they exploit normal business behaviour, not just technical vulnerabilities.
Is multi-factor authentication still worth using?
Yes. MFA remains one of the most important security controls available. The issue is that businesses should use stronger MFA methods, monitor identity activity and avoid relying on MFA alone.
How can businesses stop QR code phishing?
Use staff training, safe browsing controls, secure mobile access, email security that can analyse QR codes and clear rules for payments or logins triggered by QR codes. Staff should verify before scanning when the context feels unusual.
Can small businesses be targeted with AI scams?
Yes. AI tools make it easier for attackers to create convincing emails, messages, voice clips and impersonation attempts. Small businesses should use verification steps for payments, supplier changes and sensitive requests.
Ready to improve your cyber security?
Cyber threats will keep changing, but your business does not need to feel exposed or overwhelmed. The best way to handle emerging cyber security threats is to build strong foundations: secure identities, trained people, verified workflows, monitored systems and a response plan that is ready before something goes wrong.
If your business wants clearer, more practical cyber security support, talk to Stanfield IT. We can help you understand your risks, prioritise the right improvements and build a safer technology environment for your team.
